Cri$cal

Infrastructure Security:
The Emerging Smart Grid

Cyber Security Lecture 3:
System Vulnerabili$es
Carl Hauser & Adam Hahn

Overview
System Vulnerabili$es
SoEware
Hardware
Side Channel
Social
Malware
Supply Chain

Security Mechanisms
Access Control
Malware Detec$on

Overview
System Vulnerabili$es
SoEware
Hardware
Side Channel
Social
Malware
Supply Chain

Security Mechanisms
Access Control
Malware Detec$on

Vulnerability Characteris$cs
Time introduced
Design

oEen due to incorrect, insucient system requirements

Implementa$on

Some error or overlooked detail in the coding process

Opera$onal

Result from the opera$onal use of soEware in some environment

System Components
SoEware
Hardware
Network

Impact

Conden$ality, Integrity Availability

Most Dangerous SoEware Errors

1. Improper Neutraliza$on of Special Elements used in an SQL
Command ('SQL Injec$on')
2. Improper Neutraliza$on of Special Elements used in an OS
Command ('OS Command Injec$on')
3. Buer Copy without Checking Size of Input ('Classic Buer
Overow')
4. Improper Neutraliza$on of Input During Web Page Genera$on
('Cross-site Scrip$ng')
5. Missing Authen$ca$on for Cri$cal Func$on
6. Missing Authoriza$on
7. Use of Hard-coded Creden$als
8. Missing Encryp$on of Sensi$ve Data
9. Unrestricted Upload of File with Dangerous Type
10. Reliance on Untrusted Inputs in a Security Decision
hhp://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.pdf

Run-$me Memory Subdivision

Buer Overow Basics

Stack (grows down)

Buer Overow Basics

Buer larger than the allocated space

can overwrite return value
Ahacker can inuence return loca$on
to usurp control

Fundamental Problem

Related Problems
Integer wraparound

Can cause many issues with memory management

Unsigned/signed value conversions

In summary
C programming language is very fast
C programming language is not type-safe or
memory-safe language

Other languages have problems

Many recent vulnerabili$es found within Java JRE

TOCTTOU: Another Kind of Problem

Running setuid (i.e, as root)

Running concurrently

Essen$al problem: OS func$on (permission checking) cannot be correctly

performed in user-level processes using available Unix syscalls. [Example from Wikipedia]

Overview
System Vulnerabili$es
SoEware
Hardware
Side Channel
Social
Malware
Supply Chain

Security Mechanisms
Access Control
Malware Detec$on

Hardware Security
Ahacker may have physical access to hardware:
Example: smart meter

Ahacker can use physical access to:

Extract cryptographic keys or other data

Understand device func$on

Approaches

Reverse engineering
Side channel analysis

Hardware Reverse Engineering

Read memory/rmware
EEPROM, Flash/ROM, RAM

Monitor buses
Serial Peripheral Interfaces (SPI) bus/JTAG
Use logic analyzers to interpret bus signals protocols
Connect to bus, pins

Vendors oEen employ tamper-resistant

techniques
Cover components in epoxy

Overview
System Vulnerabili$es
SoEware
Hardware
Side Channel
Social
Malware
Supply Chain

Security Mechanisms
Access Control
Malware Detec$on

Side Channel
Side channel ahack

alterna$ve methods to obtain key from crypto system (i.e., not brute force,
cryptanalysis)
Requires some ability to monitor power/computa$on $me of system (usually
physical access)

Types of side channels:

Power consump$on of chip (dieren$al power analysis)

Timing of some algorithm

Example Timing analysis

RSA Encryp$on

computes (c = me mod n)

Can infer key based on whether

a mul$plica$on occurs every
itera$on

Source: Rostami, M.; Koushanfar, F.; Karri, R., "A Primer on Hardware Security: Models, Methods, and Metrics," Proceedings of the IEEE , vol.102, no.8, pp.1283,1295, Aug. 2014

Overview
System Vulnerabili$es
SoEware
Hardware
Side Channel
Social
Malware
Supply Chain

Security Mechanisms
Access Control
Malware Detec$on

Social Engineering
Humans are oEen the weakest link in a security
system
Social Engineering

ahemp$ng to gain and manipulate trust from others

in order to gain access to a system or informa$on

Examples:

Malware on USB when people nd a USB device,

theyll generally plug it in
Phone call people and try to impersonate IT sta or
other trusted par$es (e.g., Kevin Mitnick)
Phishing

Phishing Example
Phishing malicious email message which ahempts to come from trusted
source
Spear phishing very targeted phishing where ahacker leverages personal
informa$on about you to tailor the message

Why?

Email is usually not authen$cated

Emails contain :

Ahachments with malware (e.g., .pdf, .doc, .exe)

URLs to websites with malware (WSU uses Proofpoint URL Defense to defend
against this)

Example:

Overview
System Vulnerabili$es
SoEware
Hardware
Side Channel
Social
Malware
Supply Chain

Security Mechanisms
Access Control
Malware Detec$on

Malware
Malicious SoEware (Malware)

Runs on system without users consent

Does some malicious func$on

Malware categorize

Viruses, worms, trojan horses, spyware, dishonest

adware, scareware, crimeware

Key components

Infec$on/propaga$on method

SoEware vulnerabili$es, social engineering, etc

Shellcode to exploit a vulnerability & install malware

Payload

What malicious func$on is performed

Obfusca$on techniques

This quan$ta$ve illustra$on shows the early (yellow), middle (orange), and late
(red) stages in the spread of the Code Red worm over a period of 13 hours on
July 19, 2001 (360,000 hosts) (www.caida.org)

Infec$on/Propaga$on
How does malware spread?
Remotely accessible soEware vulnerabili$es (e.g., buer overows)
File sharing

Download from website

<A href=badstu.exe>En$cingImage.jpg</A>

Portable media (USB keys, oppy disks, CDROMS, etc.)

En$cingImage.jpg.exe (Windows likes to hide known le suxes

Automa$c execu$on of a le when media inserted
Automa$c installa$on of a driver when new USB device inserted

Anything that can contain executable code is poten$ally a threat:

Documents with macros (Word, Excel, PDF, )
Email ahachments

Hard-coded, well known authen$ca$on creden$als

Payload Malicious func$on

Low-level extor$on (encrypt data, holding it hostage un$l vic$m pays $$$)

hhp://arstechnica.com/tech-policy/2015/04/police-chief-paying-the-bitcoin-ransom-was-the-
last-resort/

Steal nancial/credit card data

hhp://krebsonsecurity.com/2014/09/home-depot-56m-cards-impacted-malware-contained/

Steal privacy data

Send SPAM emails to your colleagues, etc.

hhp://www.infosecurity-magazine.com/news/socialpath-malware-backs-up-to-cc/

hhps://nakedsecurity.sophos.com/2014/08/05/how-to-send-5-million-spam-emails/

Log user keystrokes (acquire passwords for bank accounts, etc.)

hhp://www.csoonline.com/ar$cle/2112405/social-networking-security/how-keylogging-
malware-steals-your-informa$on--includes-video-.html

Persistent ads (some$mes for malware removal soEware)

hhps://zeltser.com/malver$sing-malicious-ad-campaigns/

Botnets
Botnet:

a collec$on of computers (perhaps hundreds of thousands)

running remote-control soEware under the (illegi$mate)
control of an individual or group

Typically the computers are doing everyday work for their

legi$mate owners as well as par$cipa$ng in the botnet
Control takes place using IRC (Internet Relay Chat) or other
peer-to-peer soEware
Uses:

DDoS
Spam sending
Click fraud
Distribute new exploit code

Disguise/Obfusca$on Techniques
Encrypt the virus code

Constant encryp$on technique and variable key

Encrypted les stored on system
Encrypt network C&C communica$on

Variable encryp$on technique and variable key (so-called

polymorphic virus)

Obfusca$on

Re-write binaries so they dierent, but func$onally

equivalent
This can be applied inside the virus so copies are not
literal but rather func$onal copies
Tools available to make it easy for the virus writer

Rootkits
Ahackers want to maintain administra$ve (root)
privileges aEer an ahack
Types
Kernel mode

Modify OS kernel or device driver to maintain highest privilege

level
Direct Kernel Object Manipula$on (DKOM) - rootkit directly
modies entries in the OS process table, scheduler to hid presence

Bootkit

Modies Master Boot Record (MBR) to manipulate OS when it

boots

Dicult to detect/remove because has same privileges

as OS/AV soEware

Overview
System Vulnerabili$es
SoEware
Hardware
Side Channel
Social
Malware
Supply Chain

Security Mechanisms
Access Control
Malware Detec$on

Supply Chain Issues

Modern informa$on technology has very complex
supply chain
SoEware

Examples:

Pla|orms: Opera$ng systems, services, drivers

Third-party libraries (e.g., graphics, math, strings, encryp$on)

Can contain unknown backdoors, vulnerabili$es

Hidden hardware

Addi$onal processing capability built into a product that does

something other than the main purpose of the product
E.g., Network snier that looks for password-containing packets;
periodically sends to ahacker

The hardware operates completely outside the control of the

installed soEware/rmware of the main product

Reec$on on Trus$ng Trust

Ken Thompson
Turing Award Lecture, 1983

Lesson: Cant trust anything you didnt completely

develop yourself

SoEware Supply Chain

hhps://buildsecurityin.us-cert.gov/ar$cles/best-prac$ces/acquisi$on/a-systemic-approach-assessing-soEware-supply-chain-risk

Supply Chain Risk

Examples:

Lenovo Supersh

Malicious soEware added to laptops directly from store to MitM

secure web conntec$ons

hhp://www.cnet.com/news/lenovos-supersh-screwup-highlights-biggest-
problem-in-soEware/

FBI report on knock-o Cisco device

Large number of knock-o devices found within govt

hhp://www.ny$mes.com/2008/05/09/technology/09cisco.html?_r=0

Dragony/Energe$c Bear hack

Sophis$cated ahacks against both energy companies and vendors

hhp://www.symantec.com/connect/blogs/dragony-western-energy-
companies-under-sabotage-threat

HP devices shipped with malware

hhp://www.gao.gov/assets/590/589568.pdf

Overview
System Vulnerabili$es
SoEware
Hardware
Side Channel
Social
Malware
Supply Chain

Security Mechanisms
Access Control
Malware Detec$on

Access Control
Enforced by

Hardware (processor)
SoEware (OS)

Hardware enforced

Various HW enforced privilege levels (or rings)

Ring 3 user mode applica$ons (e.g., Firefox, MS Word)

Ring 0 kernel mode (e.g., Windows kernel, Linux)
Privileged instruc$ons include memory mgmt, I/O

CPU checks instruc$on vs privilege level before

execu$ng
System calls & hardware interrupts allow data ow
across rings

Access Control
Opera$ng System

Based on subjects and objects

Subject user, process

Object le, hardware driver access

Access control matrix

Specify whether the subject and read, write, or execute the object

Approaches

Discre$onary - object owner determine who has access

Mandatory - security administrator determines who has access to the objects
Role-based subjects role determines their access to le

Example: Linux le permissions (discre$onary)

Format:

R read, W write, X execute

|Owner|Group|Everyone |

-rw-r----- 1 root shadow Feb 4 16:15 shadow

-rw-r--r-- 1 root root Feb 4 16:15 passwd
-rwxr-xr-x 2 ahahn ahahn Sep 10 2014 le.txt

Overview
System Vulnerabili$es
SoEware
Hardware
Side Channel
Social
Malware
Supply Chain

Security Mechanisms
Access Control
Malware Detec$on

Malware Detec$on
An$virus soEware
Compares programs to known malware paherns
Analyzes programs for malicious opera$ons
Scanning
Pahern matching on known virus signatures
Integrity checks: has a le changed (use checksums)
Run program in emulated environment and see if it
produces either data that matches a signature or an
execu$on sequence that matches a signature

Malware Detec$on
Dicult because:
Malware performs muta$on/obfusca$on/encryp$on
AV companies must rst obtain the malware in the
wild before developing a signature
Only common malware is detected
Detec$on of new, sophis$cated malware tends towards 0%
Malware developers can also use AV to test their malware

AV poorly detects malware samples using well known

obfusca$on techniques
hhp://www.sans.org/reading-room/whitepapers/casestudies/eec$veness-an$virus-
detec$ng-metasploit-payloads-2134

Malware detec$on in control systems

Tradi$onal AV Blacklist of known malicious
signatures
Control systems suggests whitelists
Specify all programs that should execute, block others

Example
MS Windows
Specify allowed applica$ons with Group Policy
AppLocker , rules based white list on Win 7, Server 2008
Can be bypassed

ICS Whitelist (hhps://www.icswhitelist.com)

Maintains library of hashes of common ICS applica$ons
Can be used to compare running programs against known valid
program hashes

End